The “Gnu Privacy Guard Agent” is a service which safely manages your private keys
in the background. An application (e.g. the mail client signing a message with
your key) does not need direct access to your key file or your passphrase. Instead
it goes through the agent, which asks the user for the key passphrase in a
protected environment whenever that becomes necessary.

“PIN Entry” is used by “GnuPG Agent” and others to ask the user for a
passphrase in a secure manner. It works on various graphical desktop
environments, text-only consoles and terminal sessions.

Note

PIN Entry version 0.8.3, currently installed from the Ubuntu Software Center,
disables access to the clipboard for security reasons. Copying or pasting the
passphrase is not possible. Later versions allow clipboard access to be
enabled as an option, although it is disabled by default.

“GPG Agent” and “PIN Entry” not only make the handling of your keys more
secure, but also easier to use. You can set a time during which your keys
stay unlocked, so you are not required to enter your passphrase again every time
the key is needed.

Whenever GnuPG needs a key to check a signature or to encrypt a message and the
public key is not already in our public keyring, that key is retrieved
automatically from the key servers. Keys already in the keyring must also be
refreshed from the key servers periodically to see whether they have been revoked
or new signatures have been added.

This makes it very easy for third parties to watch with whom we communicate and
gives anyone watching our network automatic periodic updates of all the
contacts in our address book.

Therefore all communication with the key servers should be encrypted. For this
we download the CA certificate of the SKS key server pool:

# Options for the GnuPG Agent
# See the 'OPTIONS' section of 'man gpg-agent'

# Program to use for entering passphrases
pinentry-program /usr/bin/pinentry-gtk-2

# Enable the OpenSSH Agent protocol.
enable-ssh-support

# Time in seconds, since last use of a GPG key, after which you will be asked to
# provide your passphrase again.
# Default: 600 (10 minutes); 7200 = 2 hours
default-cache-ttl 7200

# Time in seconds after which you will be asked to provide your GPG key
# passphrase again, regardless of the time since that GPG key has been used.
# Default: 7200 (2 hours); 86400 = 24 hours
max-cache-ttl 86400

# Time in seconds, since last use of an SSH key, after which you will be asked
# to provide your passphrase again.
# Default: 1800 (30 minutes); 21600 = 6 hours
default-cache-ttl-ssh 21600

# Time in seconds after which you will be asked to provide your SSH key
# passphrase again, regardless of the time since that SSH key has been used.
# Default: 7200 (2 hours); 86400 = 24 hours
max-cache-ttl-ssh 86400
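As an added example (not from this page and not GnuPG's own code), the following Python models what the two cache timers above do: a small parser for the gpg-agent.conf layout, plus a function that tells whether a key use at a given moment would trigger a pinentry prompt. The documented defaults and the sorted timeline of key uses are assumptions of the model.

```python
"""Model of gpg-agent's passphrase cache (added example, not GnuPG code).

Parses the gpg-agent.conf layout shown above (``name [value]`` per line,
``#`` comment lines) and answers "would the agent prompt again at time t?"
using the two timers the options describe:
  default-cache-ttl: sliding window, restarted on every use of the key;
  max-cache-ttl:     absolute cap counted from the unlock, never extended.
"""

# gpg-agent's documented defaults (assumed unchanged in your version).
DEFAULTS = {"default-cache-ttl": 600, "max-cache-ttl": 7200,
            "default-cache-ttl-ssh": 1800, "max-cache-ttl-ssh": 7200}

# Constructed sample file, not a real user's configuration.
SAMPLE_CONF = """\
# Options for the GnuPG Agent
pinentry-program /usr/bin/pinentry-gtk-2
enable-ssh-support
default-cache-ttl 7200
max-cache-ttl 86400
default-cache-ttl-ssh 21600
max-cache-ttl-ssh 86400
"""

def parse_agent_conf(text):
    """Return {option: value or None}; lines starting with '#' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        opts[name] = value.strip() or None
    return opts

def prompts_again(opts, uses, at, ssh=False):
    """True if a use at time ``at`` (seconds) would trigger a pinentry prompt.

    ``uses`` are earlier, sorted times the key was used; the first is the
    unlock. A use after expiry re-prompts and starts a fresh window.
    """
    sfx = "-ssh" if ssh else ""
    sliding = int(opts.get("default-cache-ttl" + sfx) or DEFAULTS["default-cache-ttl" + sfx])
    absolute = int(opts.get("max-cache-ttl" + sfx) or DEFAULTS["max-cache-ttl" + sfx])
    unlocked_at = last_use = None
    for t in (u for u in uses if u < at):
        if unlocked_at is None or t > min(last_use + sliding, unlocked_at + absolute):
            unlocked_at = t  # cache empty or expired: the user was asked again
        last_use = t
    return unlocked_at is None or at > min(last_use + sliding, unlocked_at + absolute)
```

With the sample values, a key used every two hours stays unlocked until the 24-hour cap hits, which is exactly the difference between the two options.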

Over time the keyring will grow, especially with the auto-key-retrieve option we
set earlier. A large keyring may slow down operations and lead to sluggish
response from other applications like Thunderbird with Enigmail.

Backups are very important. If you lose your private key or its passphrase,
nothing encrypted with it can be recovered.

Backups of your private keys and keyrings should be stored on an encrypted USB
drive along with other important and protected files, like your KeePassX
password database, your personal TLS certificates and private keys, and those
of your servers.